Here are some of the most common WordPress plugins that have XSS security vulnerabilities and need to be updated immediately. Check your site and fix them as soon as possible.
Last week, security firm Sucuri discovered that a large number of WordPress plugins have a cross-site scripting (XSS) vulnerability allowing attackers access to websites running outdated versions of these plugins. After working with the WordPress core security team, they listed 17 WordPress plugins that have the vulnerability and need to be updated on any WordPress website. This is not a complete list of plugins vulnerable to cross-site scripting, but it covers popular plugins used by many webmasters.
List of plugins with security vulnerabilities:
Jetpack WordPress Plugin
The vulnerability Sucuri discovered would allow an attacker to send a WordPress user with administrative rights a link which could execute malicious JavaScript. The vulnerability was introduced in Jetpack 3.0 and to date we have no evidence of this being exploited. However, now that this update is public, it’s more likely that exploits may occur. To avoid a breach, you should update your site as soon as possible.
WordPress SEO plugin and Google Analytics by Yoast plugin
The main issue is the wrong usage of add_query_arg and remove_query_arg. It exists in both our WordPress SEO plugin and Google Analytics by Yoast plugin.
All In one SEO WordPress Plugin
Patched security vulnerability with use of add_query_arg (https://codex.wordpress.org/Function_Reference/add_query_arg) reported by Joost de Valk
Gravity Forms WordPress Plugin
The security issue that Gravity Forms have patched is minor and not something that can be exploited without the user having admin access to your WordPress Dashboard. However, this may not be the case with the many other plugins that may be impacted.
Easy Digital Downloads WordPress Plugin
The Easy Digital Downloads update resolves a security vulnerability due to improper usage of the add_query_arg() function; there were several locations in Easy Digital Downloads that were possibly susceptible to cross-site scripting attacks.
UpdraftPlus WordPress Plugin
In UpdraftPlus, the danger is as follows: an attacker would need to a) send you a specially crafted link, and b) persuade you to click on it, on a computer on which you are also logged in to the WordPress dashboard on your site, with admin privileges. If you clicked on that link, then the attacker could run code in your dashboard page one time (i.e. not persistent – it won’t remain in your dashboard), performing UpdraftPlus administrative actions (e.g. download a backup, run a backup, delete a backup). We do not believe that there is a way for an attacker to upload and restore their own backup. (i.e. They cannot modify your site through injecting and restoring their own backups).
WP-E-Commerce WordPress Plugin
Fix potential reflexive XSS issue with add_query_arg() and remove_query_arg() usage. Update is highly recommended.
WPtouch Mobile WordPress Plugin
Fixed: add_query_arg/remove_query_arg vulnerability
Download Monitor WordPress Plugin and Related Posts for WordPress
Download Monitor and Related Posts for WordPress have this vulnerability in the WordPress backend, meaning the XSS vulnerability could only be exploited if a logged-in user clicked a malicious link.
My Calendar WordPress Plugin
If you’re currently running any version in the 2.3.x branch of My Calendar, your site is vulnerable. If you’re on an older version of My Calendar, you are not vulnerable to this security issue, but you may be vulnerable to a security issue I fixed in version 2.3.10.
P3 (Plugin Performance Profiler) WordPress Plugin
Security update: Escape URLs returned by add_query_arg and remove_query_arg
Give – Democratizing Generosity WordPress Plugin
Security: Hardened URLs with esc_url() across the plugin core
Multiple iThemes products including Builder and Exchange
The main issue iThemes are fixing with this release is the wrong usage of the add_query_arg and remove_query_arg functions in these plugins and themes. The WordPress functions add_query_arg() and remove_query_arg() were assumed to produce a safe-to-use URL, but that is not always the case. Carefully crafted URLs could result in what is called reflected XSS, which basically means that when the dangerous URL is accessed, some JavaScript could be injected into the page and run.
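The defect pattern behind the add_query_arg()/remove_query_arg() advisories above, as an added PHP illustration that is not code from WordPress or any of the listed plugins. It runs stand-alone on the PHP CLI; add_query_arg_stub() and esc_url_stub() are simplified stand-ins (an assumption, not the real implementations) for WordPress's add_query_arg() and esc_url(), reduced to the behaviour that matters here: the former builds on the raw request URI when no base URL is given, the latter escapes the result for use in an href.

```php
<?php
// Added illustration; not code from WordPress or any plugin listed above.
// add_query_arg_stub() and esc_url_stub() are simplified stand-ins (assumption)
// for WordPress's add_query_arg() and esc_url(), reduced to the behaviour that matters here.

// Like the real add_query_arg() called without a base URL, this falls back to the
// raw request URI, which the visitor controls.
function add_query_arg_stub( string $key, string $value, ?string $url = null ): string {
    $base = $url ?? ( $_SERVER['REQUEST_URI'] ?? '/' );
    $sep  = ( strpos( $base, '?' ) === false ) ? '?' : '&';
    return $base . $sep . rawurlencode( $key ) . '=' . rawurlencode( $value );
}

// Like esc_url(): reject non-http(s) schemes and entity-encode the characters that
// could close an href attribute or open a tag.
function esc_url_stub( string $url ): string {
    $url = trim( $url );
    if ( preg_match( '#^([a-z][a-z0-9+.-]*):#i', $url, $m )
         && ! in_array( strtolower( $m[1] ), [ 'http', 'https' ], true ) ) {
        return '';
    }
    return str_replace(
        [ '&', '"', "'", '<', '>' ],
        [ '&amp;', '&quot;', '&#039;', '&lt;', '&gt;' ],
        $url
    );
}

// Vulnerable pattern (pre-fix): the generated URL goes into the attribute unescaped.
function render_link_vulnerable( string $label ): string {
    return '<a href="' . add_query_arg_stub( 'page', 'settings' ) . '">' . $label . '</a>';
}

// Hardened pattern, the fix the patched plugins describe: escape the URL on output.
function render_link_hardened( string $label ): string {
    $href = esc_url_stub( add_query_arg_stub( 'page', 'settings' ) );
    return '<a href="' . $href . '">' . htmlspecialchars( $label, ENT_QUOTES ) . '</a>';
}

// Constructed request URI carrying a quote and angle brackets, the characters a
// reflected-XSS link relies on to break out of the href attribute.
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php?tab=general"><i>marker</i>';

// Unescaped: the injected quote terminates href and the marker tag becomes live markup.
echo 'vulnerable: ', render_link_vulnerable( 'Settings' ), PHP_EOL;
// Escaped: the same characters are entity-encoded and stay inert inside the attribute.
echo 'hardened:   ', render_link_hardened( 'Settings' ), PHP_EOL;
```

Run it with `php` on the command line and compare the two lines; the escaping on output, not a change to add_query_arg() itself, is what the patched releases listed here applied.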
Broken Link Checker WordPress Plugin
Fixed a serious CSRF/XSS vulnerability.
Ninja Forms WordPress Plugin
The vulnerability only affected pages within the wp-admin. That means that a user would need to be logged-in as an admin before they could do anything malicious.
Source from: Security Advisory: XSS Vulnerability Affecting Multiple WordPress Plugins